A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).WordPress security firm [Wordfence says](https://www.wordfence.com/blog/2025/10/mass-exploit-campaign-targeting-arbitrary-plugin-installation-vulnerabilities/) that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.The campaign expoits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).[CVE-2024-9234](https://www.cve.org/CVERecord?id=CVE-2024-9234) is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.[CVE-2024-9707](https://www.cve.org/CVERecord?id=CVE-2024-9707) and [CVE-2024-11972](https://www.cve.org/CVERecord?id=CVE-2024-11972) are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) which can also lead to installing arbitrary plugins.An authenticated attacker can leverage the vulnerabilities to introduce another vulnerable plugin that allows remote code execution.* CVE-2024-9234 affects GutenKit 2.1.0 and earlier* CVE-2024-9707 impacts Hunk Companion 1.8.4 and older* CVE-2024-11972 impacts Hunk Companion 1.8.5 and previous versionsFixes for the three vulnerabilities became available in Gutenkit 2.1.1, released in October 2024, and Hunk Companion 1.9.0, released in December 2024. However, despite the vendor fixing them almost a year ago, many websites continue to use vulnerable versions.  **Number of blocked attacks** *Source: Wordfence*Wordfence’s observations based on the attack data indicate that researchers say that threat actors are hosting on GitHub a malicious plugin in a .ZIP archive called ‘up’.The archive contains obfuscated scripts that allow uploading, downloading, and deleting files, and changing permissions. One of the scripts that is protected with a password, disguised as a component of the All in One SEO plugin, is used to automatically log in the attacker as an administrator.The attackers use these tools to maintain persistence, steal or drop files, execute commands, or sniff private data handled by the site.When attackers cannot directly reach a full admin backdoor via the installed package, they often install the a vulnerable ‘wp-query-console’ plugin that can be leveraged for unauthenticated RCE.Wordfence has listed several IP addresses that drive high volumes of these malicious requests, which can help create defenses against these attacks.As an indicator of compromise, the researchers say that administrators should look for */wp-json/gutenkit/v1/install-active-plugin* and */wp-json/hc/v1/themehunk-import*requests in the site access logs.They should also check the directories */up* , */background-image-cropper* , */ultra-seo-processor-wp* , */oke* , and */wp-query-console*, for any rogue entries.Administrator are recommended to keep all plugins on their websites updated to the latest version available from the vendor.  [Picus Blue Report 2025 is Here: 2X increase in password cracking](https://hubs.li/Q03B5Kw_0)———————————————————————————————46% of environments had passwords cracked, nearly doubling from 25% last year.Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.[Get the Blue Report 2025](https://hubs.li/Q03B5Kw_0) ### Related Articles:[Hackers exploiting critical ‘SessionReaper’ flaw in Adobe Magento](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-sessionreaper-flaw-in-adobe-magento/)[Hackers exploit auth bypass in Service Finder WordPress theme](https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-in-service-finder-wordpress-theme/)[CISA warns of Lanscope Endpoint Manager flaw exploited in attacks](https://www.bleepingcomputer.com/news/security/cisa-warns-of-lanscope-endpoint-manager-flaw-exploited-in-attacks/)[Sharepoint ToolShell attacks targeted orgs across four continents](https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks-targeted-orgs-across-four-continents/)[CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw](https://www.bleepingcomputer.com/news/security/cisa-confirms-hackers-exploited-oracle-e-business-suite-ssrf-flaw/)
Related Tags:
CVE-2024-11972
CVE-2024-9707
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 519 – Web Search Portals
Libraries
Archives
Other Information Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: BleepingComputer
Exploitation of Remote Services
Associated Indicators: